Question About Possible Hack of Site
-
I noticed that some links are coming up with code in the link URL that I did not put there. I have not edited my site for several weeks. I have added posts but no PHP editing. So I am pretty sure I did not cause this. I noticed it tonight and don’t think it has been like this for more than a day – maybe two. I am using version 2.7.1.
This is the expected link:
https://ptv-investing.com/blog/2009/09/03/30-year-bond-swing-chart-turns-down/
This is what shows up in the Permalink and the “Recent Posts” and “Comments” widgets.
Everything else seems to work. I checked the dates on the PHP files and none show recent updates. I checked the DB through examination of my daily backup and don’t see any changes to the data in the DB.
Any suggestions?
Thanks.
Andy
-
kirkpete,
For bloggers who are not technologists, upgrading is an ordeal.
then those people should not be using wordpress. do you disagree?
(and while we’re at it, for the sake of this discussion how do you define technologist?)
and really, an “ordeal”?
hyperbole.
this kind of thread has popped up countless times..
The fact is that ALL PHP web apps MUST be upgraded and kept current. That someone is a new web master and has problems with that process doesn’t make them immune to that fact, and doesn’t provide an out should they not do it and suffer a successful attack.
I’m sorry to those that don’t want to hear that, but that’s a fact, and it’s not going to change. There will, eventually, be public exploits for wordpress 2.8x.. you can count on it. And the wordpress devs will address those issues as they become aware.
that’s ALL they can do. the rest .. like it or not.. is on you (generally speaking). You can only lead the horse to the water, you cannot make it drink.
you CHOSE to run an insecure version of wordpress. did you not?
I am NOT trying to be argumentative here, but you’re not being intellectually honest.
Has anyone noticed that their flash image uploader no longer works? Maybe this is a function of disabling xmlrpc.php also disables the flash image uploader?
I went to add images to a post tonight and I get “HTTP Error” in the flash uploader when I click on “upload.” If I use the html version it works just fine, w/o issue.
I’ll dig into it in the morning, just wondering what others have seen.
I read these forums every day; a 5 page thread on a hack is going to get my attention, and I read it expecting to see something about 2.8.4.
There IS a lot of good info in this thread, even without that. That said, there’s also a fair amount of virtual hand wringing, and blame-shifting, and references to things that aren’t possible in 2.8.4 that, frankly, needed to be corrected, and NO-ONE else was even bothering.. (see above)
Since I have as much right as anyone to post here, I’ll say it and get it off my chest.
You can’t seem to get your blog upgraded? Then GET HELP.
There are countless people on the WWW that do upgrades for little or NO cost.
That’s what I feel has to be driven home after 6 pages.
so there. call me a troll i really don’t care. I’ll be here on these forums long after you’ve moved on from this thread.
@whooami wrote: “and is this entire thread about hacks to pre 2.8.4 installs???”
you go, girl! yes, this entire thread is actually about bad things that happen to people who don’t keep their WordPress installs current. amazing, isn’t it? 5 pages of this. (thanks for sharing!)
folks, you can’t upgrade “just once a year” because you “feel like it,” if you want the max protection available at any given time from WordPress. it IS your fault if you don’t/can’t/won’t keep your installs current – whether you do them yourselves or pay someone to do them.
it’s just laziness, not to upgrade, compounded by a lack of knowledge. btw, i have about 9 blogs. they all get upgraded when there’s a WP upgrade. is it a pita? yeah, kinda. but the whole thing is done in less than an hour – a small price to pay for keeping installs as safe as possible.
@kirkpete – a troll? whooami is the most knowledgeable WP person i’ve ever met. whooami just wants people to _think_ and learn. has donated hundreds, if not thousands, of hours to the message boards, teaching people, etc.
Okay.. so I have many sites on a shared hosting account each in their own directory.. several are running wordpress installations... today a majority of these sites got hit with this hack. I am in the process of upgrading all to 2.8.4 and removing the index.php files that have the code in them from each affected directory.
Interesting thing is that many directories that do not have wordpress installed got this index.php file added to them also.
Anyway I need to know in layman’s terms what else I need to do to make sure these are secure. Can someone please spell it out so that the ones that are already affected can be made safe.
Thank you,
SteveAx
So I’ve been on the case and although I can’t replicate the issue on my local servers, what has been described here in this thread sounds exactly like the security issue that was addressed in WordPress 2.8.1.
WordPress 2.8.1 was released on July 9th to address a security issue that was brought up by Core Security Technologies.
https://www.ads-software.com/development/2009/07/wordpress-2-8-1/
https://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=list&type=advisory
If you take a read through their security bulletin, especially the proof of concept, it sounds exactly like what happened to the guy who started this thread with the Subscriber role and the escalation of privileges to the admin level. But that security bulletin centers around plugins so I’m not sure if it’s in use here. Also, WordPress 2.8.2 and 2.8.3 were released to fix an XSS vulnerability where comment author URLs were not fully sanitized when displayed in the admin but since the most this could do is redirect someone to a different webpage, doesn’t sound like it’s in action.
However, I’d like to hear specifically from anyone running WordPress 2.8.4 who has had this attack happen to them.
I found one who has the same problem with 2.8.4 -> https://www.netpassiveincome.com/wordpress-mysql-injection-permalink/
At the end he says that…
I had the same security breach today on my 2.8.2 site, including the same new users added since 8/30:
MikeWink
Miriam
Adrianq
But I could not find any admin user. The dashboard showed only one admin (1) = me. Looking in the wp_usermeta table also yielded nothing, at least to my eyes. (I am not experienced with this stuff, but could not see anything easily.)
Here’s what I did:
I deleted the malicious code from the permalink structure.
I deleted old WP files, more or less leaving only theme files (NOT index.php from each theme– of which corrupted versions were scattered everywhere you can imagine, so I replaced these), wp-config.php, and .htaccess and robots.txt.
I reinstalled WP, upgrading to the latest 2.8.4.
Changed FTP and MYSQL and WordPress admin passwords.
I deleted old plugins and reinstalled each.
IS there anything I need to do to make sure I am secure and have not let anything corrupt linger from the old site?
Thanks!
IS there anything I need to do to make sure I am secure and have not let anything corrupt linger from the old site?
you appear to have covered everything. the important thing is to not miss any files with backdoors in them, php shells, that sort of thing.
deleting the files .. solves that, generally speaking. make sure that what you leave behind is clean. make sure that images are really images (often missed) — if you took notice of the timestamps on any of the files that had been altered, you probably want to go through your entire web space and look for any other files that have close or same timestamps.
an image file in your uploads/2009/07 directory with a timestamp from this month would be very suspicious, for instance.
Having looked into this in great detail as far as I can tell this exploit does not work against 2.8.4.
If anyone has evidence to the contrary – apache access_logs, POST data etc then please send them to us at [email protected] and we will investigate.
This answers one of the questions that I posted before: Why did the hacker need to make the permalinks dysfunctional? Because this is actually the first point of entry. So, he had to.
In other words: If your permalinks are OK right now, you were not hacked, yet.
Thank you for the help. I am upset I lost two hours of sleep over this, especially with a broken ankle that needs rest!
PS: I won’t be using ScribeFire in the near future, not worth the risk.
“since 2.8.4 is the latest, and REALLY thats where the focus ought to be, NOT on versions that shouldnt be being used anyway .. “
Get off your high horse dude. These presumptuous “shut up and upgrade” comments only reveal ignorance. People have good reasons to not upgrade. Matt can keep his rounded-for-IE corners! LOL.
Read this, maybe you’ll learn something – https://en.wikipedia.org/wiki/Telegard
f**k you, I presume nothing. and I’m not a dude either.
People have good reasons to not upgrade.
yeah like broken plugins. yawn.
“hows that plugin working out for you now that your “shit” is hacked?
not so well huh? damn, lifes not too fair. here’s a hug for you.”
Maybe you need to do a little reading?
https://www.milw0rm.com/search.php?dong=wordpress
those are JUST the exploits that are easily gotten.
I don’t think I’m the ignorant one here. My blog(s) aren’t hacked.
—
Furthermore, and here’s the real issue — having a reason doesn’t make it the best choice. Instead of patting people on the back and giving out virtual hugs when they experience this, maybe, JUST MAYBE, they need to be told that they made a bad choice???? You know, so they don’t continue making bad choices?
Oh wait — that’s wrong, we don’t want to hurt anyone’s feelings, do we?? Instead, we can look forward to more virtual hand holding for the next 6 months, until the next round of clucks, and their friendly apologetics, pile onto the forums wondering wth happened to their blogs that they refuse to take care of.. they’re not technologists (wtf that is) .. they couldn’t upgrade… they need that plugin … they “just wanna blog” … blah blah blah.
I’m sick of it. You’re not alone on the Web. You share it. It’s called the information “superhighway” for a reason.
Besides, I ALREADY said there was good info in this thread — i was talking specifically about the suggestions that were made for people that WON’T, for whatever reason, upgrade.
I think that registration open to everyone is critical to this hack. You also pointed this out already, that this is a first step in the sequence. But there is one more interesting thing – the file from that chinese server has the following call near its end:
update_option('users_can_register',0);
It looks like the attackers disable the registration option just after the new admin is created, to prevent others from exploiting this hole too.
One more thing: it looks like this is the 1st phase of the attack. I suspect that in the 2nd phase the attackers will return to the compromised blogs, revert the permalink structure to the original (or change it to something valid) and start posting their spammy offers, links to other sites, badware or anything else.
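The sequence described in this post (open registration, a new account escalated to admin, code dropped into the permalink structure, users_can_register flipped off afterwards) can be checked against the database directly rather than through the dashboard, which is what the earlier poster who "could not find any admin user" would have needed. This is an added example, not code from the thread or from WordPress: it queries wp_options, wp_users and wp_usermeta for a tainted permalink_structure, the registration flag, every account whose wp_capabilities meta grants administrator, and accounts registered after a cut-off date. The tables and rows are a constructed in-memory SQLite stand-in for the real MySQL tables (the user names follow the ones listed above; the permalink payload is a placeholder, not the real injected code); the SQL itself is plain enough to paste into the mysql client.

```python
"""Added example, not from the thread: audit a WordPress database directly
instead of trusting the dashboard user list. The tables below are a
constructed in-memory SQLite stand-in for the real MySQL wp_ tables; the
queries themselves are plain enough to run in the mysql client."""
import re
import sqlite3
from typing import Optional

# A legitimate permalink structure holds only slashes, %tag% names and slug
# characters. Braces, parentheses, quotes or '$' inside it mean code was
# injected into the option, which is what this thread describes.
PERMALINK_OK = re.compile(r"^[A-Za-z0-9%/_.\-]*$")


def permalink_is_clean(structure: Optional[str]) -> bool:
    return structure is None or PERMALINK_OK.fullmatch(structure) is not None


def get_option(db: sqlite3.Connection, name: str) -> Optional[str]:
    row = db.execute(
        "SELECT option_value FROM wp_options WHERE option_name = ?", (name,)
    ).fetchone()
    return None if row is None else row[0]


def audit(db: sqlite3.Connection, registered_since: str) -> dict:
    """Report permalink taint, registration state, every account whose
    wp_capabilities meta grants administrator, and accounts created on or
    after the given 'YYYY-MM-DD' date."""
    structure = get_option(db, "permalink_structure")
    admins = db.execute(
        """SELECT u.user_login
             FROM wp_users u
             JOIN wp_usermeta m ON m.user_id = u.ID
            WHERE m.meta_key = 'wp_capabilities'
              AND m.meta_value LIKE '%"administrator"%'
            ORDER BY u.ID"""
    ).fetchall()
    new_users = db.execute(
        "SELECT user_login FROM wp_users WHERE user_registered >= ? ORDER BY ID",
        (registered_since,),
    ).fetchall()
    return {
        "permalink_structure": structure,
        "permalink_tainted": not permalink_is_clean(structure),
        "users_can_register": get_option(db, "users_can_register"),
        "admins": [r[0] for r in admins],
        "new_users": [r[0] for r in new_users],
    }


def connect_sample() -> sqlite3.Connection:
    """Constructed sample rows (not real data). The user names follow the
    ones a poster listed above; the permalink payload is a placeholder, not
    the real injected code."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        """
    )
    db.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("permalink_structure", "/%year%/%monthnum%/%day%/%postname%/{eval()}"),
        ("users_can_register", "0"),  # flipped off by the attacker's script
    ])
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "andy", "2009-01-10 09:00:00"),
        (2, "MikeWink", "2009-08-30 14:11:02"),
        (3, "Miriam", "2009-08-31 03:45:19"),
        (4, "Adrianq", "2009-09-01 22:07:40"),
    ])
    # WordPress stores roles as a PHP-serialized array under wp_capabilities.
    admin = 'a:1:{s:13:"administrator";b:1;}'
    subscriber = 'a:1:{s:10:"subscriber";b:1;}'
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", [
        (1, "wp_capabilities", admin),
        (2, "wp_capabilities", subscriber),
        (3, "wp_capabilities", subscriber),
        (4, "wp_capabilities", admin),   # the escalated account
    ])
    return db


if __name__ == "__main__":
    for key, value in audit(connect_sample(), "2009-08-30").items():
        print(f"{key}: {value}")
```

Two things to keep in mind on a live install: the meta_key is prefixed with your table prefix (wp_capabilities only if the prefix is wp_), and a users_can_register value of 0 is not reassuring by itself, since this post says the attacker's script sets exactly that after creating its admin; the account list and the permalink option are what tell you whether the first phase already happened.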
“folks, you can’t upgrade “just once a year” because you “feel like it,” if you want the max protection available at any given time from WordPress. it IS your fault if you don’t/can’t/won’t keep your installs current – whether you do them yourselves or pay someone to do them.
it’s just laziness, not to upgrade, compounded by a lack of knowledge. btw, i have about 9 blogs. they all get upgraded when there’s a WP upgrade. is it a pita? yeah, kinda. but the whole thing is done in less than an hour – a small price to pay for keeping installs as safe as possible.
@kirkpete – a troll? whooami is the most knowledgeable WP person i’ve ever met. whooami just wants people to _think_ and learn. has donated hundreds, if not thousands, of hours to the message boards, teaching people, etc.”
You are hilarious.
– I don’t need “max protection” as I have something called a backup.
– I have several blogs too and I can make changes to all of them at once, with one click, in 1 second.
– There’s a good chance I may never upgrade. If I really want a new feature I can code it myself.
– I don’t need a “jazz inspired” admin panel.
– Whooami is just a guy who discovered the Internet in 1993. You should get out more.
- The topic ‘Question About Possible Hack of Site’ is closed to new replies.